Because the checkList
function has no modifier to validate if msg.sender == santa
, a malicious user can benefit from that and cause malfunction of the contract.
Lets consider the following scenario. Alice was nice this year and because of that, she earned status of NICE
. Bob was extra nice and received status EXTRA_NICE
. However Eve was naughty and received NAUGHTY
status. She won't receive present but doesn't want Alice and Bob to receive presents as well. What she will do is to front-run Alice and Bob transactions to collectPresent()
and set their status to 'NAUGHTY'. By doing that, they will not be able to receive their presents.
Prevent users from getting their presents
Manual Review, Foundry
Created the following test case and added to SantasListTest.t.sol
Test passes:
Add modifier to checkList
to ensure that it is called by santa
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.